Demystifying SOC reports: what, why & how?

Financial services businesses, especially those within the asset management, investment management and private equity sectors, will have noticed a recent sea change, with potential investors and customers demanding much more transparency, rigour and security from those they might trust with their wealth.
With investors, clients and even their auditors now seeking evidence of a strong system environment and control framework from firms as well as assurance regarding financial processes, Service Organization Controls (SOC) reports (also known as ISAE3402, SSAE16 or even SAS70 reports in old money) can prove to be a much-needed tool in a firm’s armoury. In fact, if used properly, SOC reports can not only provide confidence and help to build long-lasting relationships, but also help give you a competitive advantage.
What are SOC reports?
Being more than a standard health check, a SOC report is a valuable tool that provides independent assurance to investors that an organisation has robust financial controls in place. As the reviews are conducted on an annual basis, clients can be assured that your financial controls have been subject to rigorous testing and continue to meet industry best practice.
Service organisations can choose to commission a Type 1 or Type 2 report:
Type 1 – looks at the description and design of the controls in place in the organisation;
Type 2 – as well as looking at control description and design, this report addresses the operating effectiveness of those controls over a given period (not less than six months).
For Type 1 reports, the reporting accountant will seek to verify that the procedures and controls as described by management have been implemented. The reporting accountants will express an opinion on whether management’s description fairly presents the service organisation’s control system, and whether the controls were suitably designed.
For Type 2 reports, the reporting accountant will also seek evidence on the operational effectiveness of the stated procedures and controls over the complete period specified, performing tests as appropriate. They will also express an opinion on whether the controls operated effectively throughout the specified period. Where exceptions have been found, such as controls not operating effectively, these will be reported.
SOC report benefits
You will be familiar with the challenge of managing demands from your clients’ auditors or fund administrators for access to your systems to test the adequacy of internal controls. With a SOC report in place, rather than each fund administrator/audit firm coming to your premises to conduct their own tests, they can use the report to gain assurance on the adequacy of controls in place.
SOC reports can also help attract and retain international business and investor clients. Clients and investors, particularly from the US, increasingly ask to see SOC reports to gain assurance on the quality of controls being operated by firms. This may even be a prerequisite for doing business.
Some Moore Stephens clients have used their SOC report proactively as a marketing tool to gain a competitive advantage over rivals by showing that effective controls have been implemented and, depending on the type of report, operated effectively over a given period.
SOC reports can also play a part in risk management concerning the delivery of services to clients. Stakeholders in service organisations can gain peace of mind as to the operational effectiveness of their controls and hence their ability to provide services consistently and securely.
How we can help
Our Governance, Risk & Assurance team have a vast amount of experience providing assurance services to financial services clients, including completing SOC reports. Our experts will be happy to discuss the potential suitability and benefits for your organisation of commissioning a SOC report. For more information please contact us here.
